In the physical world, individual persons are able to assess one another by sight, hearing and an accounting of physical attributes. Drivers' licenses, passports and other regulated documents provide verified accountings of attributes that permit individuals to validate who they are, or for others to validate who an individual says he or she is.
Fingerprints, retinal pattern, breath and DNA among other attributes are understood and recognized to be highly individualistic and are widely accepted and used to verify identity. But these attributes are physical and tied to a physical world.
Computers have become commonplace and highly integrated in nearly all aspects of modern life—transcending the bounds of professional and social spaces, computers are a prominent fixture in the workplace, in the home, as mobile devices and in many other places and arenas of daily life and modern existence.
Increasingly individuals are representing themselves in the cyber world of computer systems and computer networks, where digital information in the elemental form of binary data is entirely ignorant of physicality. A critical problem in cyberspace is knowing with whom you are dealing—in short, at the present time there is no precise way to determine the identity of a person in digital space. Friends, families, colleagues may use a common computer, share passwords, or even pretend to be people they are not. Sometimes these actions are benign—sometimes they are not.
Traditionally different systems establish individualized, but similar signup and login procedures to collect information directly from users so as to establish user identities, passwords and other information in the effort to establish at least a notion of an identity for a user.
A typical person over the age of ten in a modern household with access to computer resources may have a number of user accounts, each with a user name and password as well as perhaps additional security measures such as pin numbers, security images, test questions, and the like.
But the redundancy of such systems, especially where use of a system is occasional or only desired for a brief interaction leads to many problems. Users struggling to remember passwords default to the use of simple phrase, such as “password”, “opensaysme”, “abcdgoldfish”, “0p3n4m3” or other simplistic phrases that are easily compromised. Although advances in data storage have increased dramatically in recent years there are still costs involved in archiving data—and establishing a user account and maintaining the data records for such an account may be costly for a system where the a high percentage of users never return.
Indeed, in some cases when a user is faced with forgetting his or her prior login information or being unsure if he or she even has an existing identity, the user may opt to create a new identity rather than try and recover the old identity—an action that further leads to increases in archived data, increased storage requirements, potential maintenance issues, and of course costs in terms of time, energy and money.
Increasingly users are establishing identities with large network based systems that provide a variety of resources, such as social media networks. Comprised usually of many different systems operating in harmony most of these systems permit a user to log in once—a single sign on (SSO) and be remembered as he or she makes use of different resources for different activities, uploading pictures, playing games, posting comments to friends about this or that, researching interests, etc. . . . . Operating collectively, systems of this type may be referred to as a federated system, and once a user has established his or her identity through an initial account setup and login, he or she enjoys access to all elements within the federation seamlessly based on the single sign on.
Digital certificates, also known as public key certificates, are electronic documents that bind a digital signature (a mathematical schema for demonstrating authenticity) to a key, such as a public key, that is tied to an identity. A public key infrastructure (PKI) is a set of hardware, software, people, policies and/or procedures used to create, manage, distribute, use, store and revoke digital certificates. When referring to or working with digital certificates, in many cases a PKI is implied. More simply put, digital certificates are electronic documents that are offered to prove or verify the identity of user. Typically a digital certificate is issued by a certificate authority (CA) that has performed or established some threshold of information to assert that the party to whom the certificate is issues is indeed the party he or she reports to be.
In addition to identifying a person, a digital certificate may also include additional information, which may be used to determine the level of authorization that should be afforded to the holder of the digital certificate. Examples include the duration of validity for the certificate, the user's real name, the user's alternative name, the intermediate certificate authority who issued the certificate, the type of computer system used when requesting the certificate, the type of computer system authorized for use with the certificate, or other such information pertinent to establishing both the identity of the user of the digital certificate as well as the veracity of the root certificate authority ultimately responsible for the apparent authority vested in the digital certificate.
Indeed, digital certificates can and often do provide a great deal of simplicity in authenticating a user as the user has clearly established him or herself in some way that is sufficient for a certificate authority to provide the digital certificate. Relying on a digital certificate can ease a network's reliance on parties having previously established or contemporaneously establishing a local identity—a savings both in terms of time for the user and costs associated with the overhead and storage of the user identity for the local network.
Some attempts have been made to combine single sign on capabilities with the digital certificates, but as these efforts are not truly transparent and typically require a new system acting as a proxy on behalf of the user.
In U.S. Pat. Nos. 7,913,298 and 7,249,375 to Bhatia et all, methods and apparatus for end to end identity propagation are presented by adding a middle tier between the user and a legacy system that requires a username and password to allow single sign on via digital certificates. Simply put the middle tier uses the certificates and the SSO system to authorize the middle tier to access the legacy system on behalf of the user, and therefore act as a proxy. Indeed in Bhatia, the SSO system provides a token to the middle tier “to prove that the middle tier is authorized to act as the user's proxy.” Although perhaps effective in some situations, Bhatia fails to provide a solution for situations where use of a middle tier is impractical or where the user and network desire a more direct form of interaction without an intervening proxy.
In US Patent Application 2002/0144119 to Benantar, methods and systems for network single sign-on using a public key certificate and an associated attribute certificate are again achieved by employing a middle tier system. After an initial configuration phase, the SSO manager application performs password management for the user, such that after the user completes a single authentication process with the SSO manger, the SSO manager acts as an authentication agent to perform subsequent authentication processes that are required by target legacy applications. The user must provide to the middle tier system, i.e. the SSO manager, any necessary information for identifying the target legacy applications which the user desires the middle tier system, e.g. the SSO manager, to act as an intermediary. In other words the user establishes an account with the SSO manager and authorizes the SSO manager to act as an authentication agent to perform subsequent authentication processes that are required by legacy applications. Attributes regarding security clearance or other authorization information associated with the user are embedded in the certificate, and when access to a legacy system is desired, the SSO manager decrypts the encoded certificate to extract the user's traditional login information so that the SSO manger may complete the login on behalf of the user. Again, although perhaps effective in some settings, the requirement of the user to interact directly with the SSO prevents application of Benantar in situations where use of a middle tier is impractical or otherwise undesired, and/or where the user may not wish to establish yet another account.
A single sign on may well simplify the users experience, but verifying and authenticating identity on one SSO system may not fully extend to the granular requirements and desires of different third party networks or applications each desiring different levels of security. Indeed a single digital certificate based on a single sign on may be of little value or use to a plurality of different third party networks or applications. For example the digital certificate used to access a users bank account or investment portfolio more than likely should be different from the same user's digital certificate used to access a coffee shop network—each system having different levels of security, duration for access, etc. . . . .
Moreover, whereas most single sign on systems attempt to streamline a user's multiple identities into one, in many instances the accessed networks or applications may well desire individualized distinctions that truly rely on multiple different identities.
Hence there is a need for a method and system that is capable of overcoming one or more of the above identified challenges.